Symantec researchers say the first known use of the Android "master key" vulnerability has been found in the wild. Two applications distributed on unofficial Android marketplaces in China were found to be using the exploit.
When Symantec's team first discussed the vulnerability earlier this month, which was identified by startup Bluebox Security, they said they expected attackers to exploit it quickly because of its ease-of-use. They appear to have been right on the mark.
The two applications discovered in the marketplace were legitimate apps which are meant to help people find and make doctor appointments, however an attacker seems to have added code to the apps in order to make them exploit the Android master key vulnerability.
Both of the previously legitimate applications have been infected with additional code which allows the hacker to remotely control devices, access data, send premium SMS messages, and disable security features.
By using this vulnerability, the hacker modified the applications by adding a new classes.dex file which contains the code, as well as a new manifest file which specifies permissions.
The attackers ability to send out premium texts is one of the most concerning aspects of the exploit. Each premium text that is sent out because of this code will incur a charge, although all of the fees will be directed to the attacker and not to the carrier.
When Symantec first announced that they had discovered this type of flaw, Google automatically released a patch which would protect devices. Even though the patch prevents Nexus devices against attacks, manufacturers still have to push out updates with the patch to non-Nexus phones.
The process of sending out updates can sometimes take months, no matter how important the update is to a device. Millions of Android devices either never receive updates or they receive very few updates, resulting in continuous vulnerabilities to many different attacks.
This type of delay has been one of the major criticisms of Android especially recently, and has resulted in many people praising Apple because of how fast and easily it is able to push out security updates to all of their devices.
Many users are now demanding that carriers and phone manufacturers find a new way of receiving and pushing out important security-based updates. Although design changes require a lot of custom tailoring to individual phones, security updates should take far less time to distribute.
Protecting Your Device
Since it could take months for a security update to be implement on all Android phones, there are a few ways to protect your device from attacks like this one.
Simply downloading Norton Security antivirus should keep any infected applications from harming your device. Another alternative is the Bluebox Security Scanner, which should also provide the necessary protection.
Users with a Nexus or Samsung device will have already had the patch sent out to their phone, but taking these precautions is important for users with any other type of device.